Agencies lag in IT continuity plans

Many agencies will likely miss the May 3 deadline for IT continuity-of-operations plans, a congressional overseer says.

Agencies aren't prepared, said Robert F. Dacey, General Accounting Office director of information security issues. He spoke this month at a conference hosted by the National Institute of Standards and Technology.

Increased reliance on IT is a growing risk for the government, Dacey said, because audits by GAO and agency inspectors general have found serious weaknesses in IT disaster recovery plans at 19 of 24 executive agencies. The most common weaknesses are incomplete or untested plans and lack of protected backup data.

Presidential Decision Directive 63 called for agencies to have plans in place by May 3, and the events of Sept. 11 dramatized the need, said Erika Langerman, chief of information security for the Joint Chiefs of Staff.

Langerman was at the Pentagon when it was struck by a hijacked airliner. 'There was a lot of confusion,' she said. Cell phones did not work, and contradictory instructions were given to staff evacuated from the Pentagon. Only key military personnel initially were allowed back in, although much of the IT systems operation was outsourced. 'I had to do some fast talking' to get essential contractor personnel back into the Pentagon, Langerman said.

Plans are just paper

Military planners and decision-makers have come to rely on near-real-time information, Langerman said, sometimes expecting data to be refreshed every 90 seconds.

Continuity plans are useful only if tested, she and others said. 'Without a lot of practice, these drills can become disjointed,' she said.

Interdependence of systems is another overlooked threat, said Ron S. Ross, director of the National Information Assurance Partnership.

'Complexity is the No. 1 enemy of security,' Ross said.

Former House speaker Newt Gingrich told the NIST conference that the United States is unprepared to meet the dangers that are posed by increasingly complex systems.

'Unless we invest dramatically more in research, we will not be able to sustain our role in the world,' said Gingrich, who now heads a management consulting firm in Atlanta.

He predicted that sophisticated, well-funded hacking will become a greater threat to the United States in the 21st century than physical attacks.

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.